Analysis
- Max time kernel: 1s
- Max time network: 77s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231222-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 31/12/2023, 03:47

Behavioral tasks
- behavioral1: sample 26e2911a59f6c13c7455c843f1e3125d.exe, resource win7-20231215-en
- behavioral2: sample 26e2911a59f6c13c7455c843f1e3125d.exe, resource win10v2004-20231222-en

General
- Target: 26e2911a59f6c13c7455c843f1e3125d.exe
- Size: 44KB
- MD5: 26e2911a59f6c13c7455c843f1e3125d
- SHA1: ed0a403a613e354bda3d796f185da603fa4c7935
- SHA256: 71b3661c3f6d53722ec93e1493ef0dbed85358569429d9f9a6d481ce3a5214c9
- SHA512: 5b9ba0eb342baab5eefff0fc2dfac4f8d7d2b2753bd65ef2ad6ee12729cbdee4f16430f15c8b74519b6dcc7234779a3f2f15994074ccb16e4b961c7e2e54e060
- SSDEEP: 768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFNgqHQjmALIuW/DJ5LDu:SKcR4mjD9r823FNCAF5fu
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  PID   Process
  3972  8AhYYBE1iXBp4Dn.exe
  2708  CTS.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- YARA rule matches
  Resource                                                                    YARA rule
  behavioral2/memory/1928-0-0x0000000000A10000-0x0000000000A27000-memory.dmp  upx
  behavioral2/memory/2708-9-0x0000000000AD0000-0x0000000000AE7000-memory.dmp  upx
  behavioral2/memory/1928-7-0x0000000000A10000-0x0000000000A27000-memory.dmp  upx

- Adds Run key to start application (2 TTPs, 2 IoCs)
  - 26e2911a59f6c13c7455c843f1e3125d.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
  - CTS.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"

- Drops file in Windows directory (2 IoCs)
  - 26e2911a59f6c13c7455c843f1e3125d.exe: File created C:\Windows\CTS.exe
  - CTS.exe: File created C:\Windows\CTS.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - 26e2911a59f6c13c7455c843f1e3125d.exe (PID 1928): Token: SeDebugPrivilege
  - CTS.exe (PID 2708): Token: SeDebugPrivilege

- Suspicious use of WriteProcessMemory (6 IoCs)
  Description                          PID   Process                               procid_target
  PID 1928 wrote to memory of 3972     1928  26e2911a59f6c13c7455c843f1e3125d.exe  16
  PID 1928 wrote to memory of 3972     1928  26e2911a59f6c13c7455c843f1e3125d.exe  16
  PID 1928 wrote to memory of 3972     1928  26e2911a59f6c13c7455c843f1e3125d.exe  16
  PID 1928 wrote to memory of 2708     1928  26e2911a59f6c13c7455c843f1e3125d.exe  15
  PID 1928 wrote to memory of 2708     1928  26e2911a59f6c13c7455c843f1e3125d.exe  15
  PID 1928 wrote to memory of 2708     1928  26e2911a59f6c13c7455c843f1e3125d.exe  15
Processes
- C:\Users\Admin\AppData\Local\Temp\26e2911a59f6c13c7455c843f1e3125d.exe (PID 1928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\26e2911a59f6c13c7455c843f1e3125d.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\CTS.exe (PID 2708), child of PID 1928
    Command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\8AhYYBE1iXBp4Dn.exe (PID 3972), child of PID 1928
    Command line: C:\Users\Admin\AppData\Local\Temp\8AhYYBE1iXBp4Dn.exe
    - Executes dropped EXE